tomcat-users mailing list archives
From: Luis Pascual Forner <lpasc...@ival.com>
Subject: Re: Authenticate with X509 certification
Date: Mon, 09 Jun 2008 06:38:09 GMT
No, because I want the certificate to be required ONLY when I access some pages.
In fact, this is how it works now, but sometimes the method
getAttribute("javax.servlet.request.X509Certificate")
returns null.

Finally, I store the certificate in the session, and get it
from there when I need it.

thanks,

   Luis

ahuelsing wrote:
> Hi,
> 
> you have to set clientAuth="true"
> 
> andreas
> 
> Luis Pascual Forner wrote:
>> Thanks, Bill,
>> I use the JIO connector.
>> That's my server.xml:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <Server port="8006" shutdown="SHUTDOWN">
>>
>>   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>   <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener" />
>>
>>
>>   <GlobalNamingResources>
>>
>>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>
>>     <Resource name="UserDatabase" auth="Container"
>>               type="org.apache.catalina.UserDatabase"
>>               description="User database that can be updated and saved"
>>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>               pathname="conf/tomcat-users.xml" />
>>
>>   </GlobalNamingResources>
>>
>>   <Service name="Catalina">
>>
>>     <Connector port="8081" maxHttpHeaderSize="8192"
>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>                enableLookups="false" redirectPort="8443" acceptCount="100"
>>                connectionTimeout="20000" disableUploadTimeout="true" />
>>
>>     <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
>>                acceptCount="100" disableUploadTimeout="true"
>>                clientAuth="false"
>>                keystoreFile="/XXXXXXXXX/xxxxx.p12" keystorePass="XXXXXX"
>>                keystoreType="PKCS12"
>>                truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts"
>>                truststorePass="XXXXXXX" truststoreType="JKS" />
>>
>>     <Connector port="8010" enableLookups="false" redirectPort="8443"
>>                protocol="AJP/1.3" />
>>
>>     <Engine name="Catalina" defaultHost="localhost">
>>
>>
>>       <Realm className="com.ival.tomcat.X509Realm" debug="0" />
>>
>>       <Host name="localhost" appBase="webapps"
>>        unpackWARs="true" autoDeploy="true"
>>        xmlValidation="false" xmlNamespaceAware="false">
>>
>>       <Context docBase="cavi" path="/cavi" reloadable="true" />
>>       <Context docBase="x509" path="/x509" reloadable="true" allowLinking="true" />
>>
>>       </Host>
>>
>>     </Engine>
>>
>>   </Service>
>>
>> </Server>
>>
>>
>>
>> Bill Barker wrote:
>>> "Luis Pascual Forner" <lpascual@ival.com> wrote in message 
>>> news:48465C00.503@ival.com...
>>>> Hi,
>>>>
>>>>   I need to authenticate ONLY with a client certificate (i.e., I don't want
>>>> to check any user database). I did the following:
>>>>
>>>>   1. I wrote an "X509Realm", with a method "authenticate" that
>>>>      only checks the validity of each certificate in the
>>>>      certificate chain (it doesn't check whether the user exists in
>>>>      any database).
>>>>   2. Declared this new class in
>>>>      "org/apache/catalina/realm/mbeans-descriptors.xml" and
>>>>      "org/apache/catalina/mbeans/mbeans-descriptors.xml".
>>>>   3. Edited "server.xml" and configured the realm.
>>>>   4. Edited "web.xml" to set the auth-method to "CLIENT-CERT".
>>>>   5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
>>>>      "server/classes", with the correct path.
>>>>   6. Restarted Tomcat.
>>>>
>>>>   Now, I can authenticate with an X509 certificate, and get the
>>>> client certificate with
>>>> getAttribute("javax.servlet.request.X509Certificate"). But
>>>> sometimes this method returns null. Why?
>>>>
>>>
>>> That almost certainly means that the client didn't send a cert.  But more
>>> info on your setup would get a better response.  For example, are you
>>> using the APR or the JIO connector?
>>>
>>>> regards
>>>>
>>>> ---------------------------------------------------------------------
>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
> 
> 
> 
> 



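A servlet filter illustrating the null-attribute case discussed in this thread (added example, written for this page; it is not code from the thread or from Tomcat, and the class name, session key and error responses are assumptions). Mapped in web.xml onto only the paths that need a certificate, it falls back to a chain cached in the session the way the final reply describes, and rejects the request outright when no certificate is available instead of treating the user as authenticated.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not from the thread or Tomcat): map this filter in web.xml
// onto the paths that require a client certificate. Names are assumptions.
public class ClientCertFilter implements Filter {
    // Attribute the connector sets when the TLS handshake delivered a client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumed session key; mirrors the thread's "store it in the session" workaround.
    private static final String SESSION_KEY = "clientCertChain";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        HttpSession session = http.getSession(true);

        X509Certificate[] certs = (X509Certificate[]) http.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // Null here means the client sent no certificate on this connection
            // (e.g. clientAuth="false" and no CLIENT-CERT constraint asked for one);
            // fall back to a chain captured earlier in the same session.
            certs = (X509Certificate[]) session.getAttribute(SESSION_KEY);
        }
        if (certs == null || certs.length == 0) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Client certificate required");
            return;
        }
        try {
            for (X509Certificate cert : certs) {
                cert.checkValidity(); // rejects expired or not-yet-valid certificates
            }
        } catch (CertificateException e) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        session.setAttribute(SESSION_KEY, certs);
        chain.doFilter(req, res);
    }
}
```

checkValidity() only covers the notBefore/notAfter dates; trust in the chain against truststoreFile is established by the connector during the handshake, which is why a cached chain is only as good as the handshake that produced it. Once the session carries the authentication, the session cookie is the credential, so it should be confined to HTTPS and invalidated on logout.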